Event Espresso + SiteLock = XSS Alerts re: iCal

Posted: September 21, 2014 at 7:29 am


Jimmy Cho

September 21, 2014 at 7:29 am

Good Morning,

So in order to enhance the security of my client, I am implementing SiteLock into their system, primarily for PCI Compliance since they’re accepting CC#s for Event Registration.

I’m using Event Espresso: 3.1 (latest update)

The SiteLock scan of my site came back with critical XSS Vulnerabilities related to, I believe, the iCal part of the site (I think it’s the link you click to add the event to your calendar).

Here’s the Error

URL: https://www.DOMAIN.com?iCal=true&currentyear=2014&currentmonth=09&currentday=20&currenttime=151506&event_id=7&registration_id=buofsedq6fnl10bt3u9v47gaq0-541dd1f309c5c2.47376271&contact_email=*EMAIL*&startyear=2014&startmonth=09&startday=22&starttime=080000&endyear=2014&endmonth=09&endday=26&endtime=170000&event_summary=*EVENT* (PSC55)&eereg_url=https:/www.DOMAIN.com/=https:/www.DOMAIN.com

Cross site scripting vulnerability found in args: contact_email,currentday,currentmonth,currenttime,currentyear,eereg_url,endday,endmonth,endtime,endyear,event_id,event_summary,iCal,location,organization,registration_id,site_url,startday,startmonth,starttime,startyear

I’ve removed the Email, Domain, and Event name from the error for safety reasons.

I need to fix these – the obvious method would be to remove the iCal feature – but they really like that aspect of it.

Any thoughts?


Sidney Harrell

September 22, 2014 at 12:10 pm

We are preparing a release which fixes it. After you perform the next update, you should be able to reactivate the iCal feature without the alert.


Josh

  • Support Staff

September 22, 2014 at 3:06 pm

Hi RJ,

The fix is in Event Espresso 3.1.36.6.p and is available now as an update.

https://eventespresso.com/wiki/change-log/
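
An added example, not part of the original thread and not Event Espresso's fix (the change in 3.1.36.6.p is not shown on this page): one way a handler for the flagged iCal arguments can allow-list each value, escape free text for the calendar format, and serve the result as a download instead of a renderable page. The function names, the accepted formats, the PRODID and UID values, and the choice to ignore `contact_email`, `eereg_url` and `site_url` are assumptions.

```php
<?php
// Added example, not Event Espresso code; argument formats are assumptions.
function ical_rules(): array {
    $rules = ['event_id' => '/\A\d{1,10}\z/', 'registration_id' => '/\A[A-Za-z0-9.\-]{1,64}\z/'];
    foreach (['start', 'end'] as $p) {
        $rules[$p . 'year']  = '/\A\d{4}\z/';
        $rules[$p . 'month'] = '/\A(0[1-9]|1[0-2])\z/';
        $rules[$p . 'day']   = '/\A(0[1-9]|[12]\d|3[01])\z/';
        $rules[$p . 'time']  = '/\A([01]\d|2[0-3])[0-5]\d[0-5]\d\z/';
    }
    return $rules;
}
// Escape free text as an RFC 5545 TEXT value so it cannot start a new line or property.
function ical_text($s): string {
    $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', is_string($s) ? $s : '');
    $s = str_replace(['\\', ';', ','], ['\\\\', '\\;', '\\,'], $s);
    return str_replace(["\r\n", "\r", "\n"], '\\n', $s);
}
// Build the calendar body from allow-listed values only; throws on anything else.
function build_ical(array $q): string {
    $v = [];
    foreach (ical_rules() as $name => $re) {
        $val = $q[$name] ?? null;
        if (!is_string($val) || preg_match($re, $val) !== 1) {
            throw new InvalidArgumentException('rejected: ' . $name);
        }
        $v[$name] = $val;
    }
    return implode("\r\n", [
        'BEGIN:VCALENDAR', 'VERSION:2.0', 'PRODID:-//added-example//EN', 'BEGIN:VEVENT',
        'UID:' . $v['registration_id'] . '-' . $v['event_id'] . '@example.invalid',
        'DTSTAMP:' . gmdate('Ymd\THis\Z'), // server clock, not the currentyear/currenttime args
        'DTSTART:' . $v['startyear'] . $v['startmonth'] . $v['startday'] . 'T' . $v['starttime'],
        'DTEND:' . $v['endyear'] . $v['endmonth'] . $v['endday'] . 'T' . $v['endtime'],
        'SUMMARY:' . ical_text($q['event_summary'] ?? ''), 'END:VEVENT', 'END:VCALENDAR',
    ]) . "\r\n";
}
// Serve as a download with an explicit type so browsers do not render it as HTML.
function send_ical(array $q): void {
    try {
        $body = build_ical($q);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid calendar request'; // fixed text: never echo the rejected value
        return;
    }
    header('Content-Type: text/calendar; charset=utf-8');
    header('Content-Disposition: attachment; filename="event.ics"');
    header('X-Content-Type-Options: nosniff');
    echo $body;
}
```

Call `send_ical($_GET)` before any other output is sent so the headers take effect. Line folding at 75 octets is left out of this sketch.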

The support post ‘Event Espress + SiteLock = XSS Alerts re: iCal’ is closed to new replies.
